Stanford Security Seminar

What does it mean to own our genes?

Arvind Narayanan

Abstract:

Given that each of us shares genetic material with our blood
relatives, to what extent can one expect to keep one's genetic
information private? I will consider this question with respect to an
attacker equipped with large-scale (albeit incomplete and "noisy")
information about the blood relationships in a large population group,
i.e., a genealogical graph.

Given this kind of auxiliary information, it turns out that the
availability of genotype information of a small fraction of
individuals -- as little as 0.2%, in preliminary experiments -- is
enough to cause the majority of the population to lose any hope of
genetic privacy. I will describe a strong inference attack that allows
the attacker to re-identify completely anonymous genetic material,
such as pieces of hair collected en masse from public spaces without
the consent or even the knowledge of the potential victims.

There are many ongoing efforts aimed at aggregating genealogical data
on a massive scale. As I will show, the compilation of the "world's
family tree" is a matter of time. Further, there are several
population groups for which enough auxiliary data is already available
to leave them vulnerable to genetic re-identification.

There is no purely technological fix to this attack. I will briefly
present policy prescriptions that may delay ubiquitous genetic
re-identifiability, and argue that genetic privacy norms must change
to accommodate the new technological reality.